kerberos_derive_salting_principal() is bogus code

Dave Daugherty dave.daugherty at centrify.com
Thu Jul 6 16:10:27 GMT 2006


As I mentioned earlier, a while back we modified the MIT Kerberos 1.4.1
code base, krb5_get_init_creds() and company, so that we can pass in an
empty salt structure, which will be filled in with the DES salt returned
from the Windows KDC. We periodically submit our changes to MIT. If this
helps you, I can look into the status of this patch for you.

DES salt is a horrendous mess, especially since Windows 2K and 2k3 deal
with it differently depending on UPN settings - not to mention that it
has to be case exact where UPNs do not.
 
Dave Daugherty
Centrify Corp.

> Andrew Bartlett Sent: Wednesday, July 05, 2006 4:35 PM

> It was written for old RHEL systems without that support.

> Better would be to actually ask for the salt, either by a modified
> kerberos API, or volker's mini-krb5 testing implementation, as we only
> need to process 2 packets.

> Andrew Bartlett

